<html>
<head>
<title>Check possibility to directly access an iframe's document of a third party site after redirect.</title>
<script type="text/javascript" src="/shared/scripts/testcase.js"></script>
<script type="text/javascript">
// Schedule f for the window load event, using whichever registration API the
// browser offers: DOM addEventListener, the legacy attachEvent, or, failing
// both, the plain onload property.
if (!window.addEventListener && !window.attachEvent) {
	window.onload = f;
} else if (window.addEventListener) {
	window.addEventListener('load', f, false);
} else {
	window.attachEvent('onload', f);
}

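/**
 * Same-origin-policy test, run as the window load handler: checks that script
 * on this page cannot reach the document of the 'ifr_cross' iframe, whose
 * request goes through a redirect to a third party site.
 *
 * Flow:
 *   1. Control: read the 'ifr_same' frame through tc.readOriginBody.
 *   2. Probe: ask tc.checkOriginDocument for the 'ifr_cross' document. A
 *      null/undefined value or an exception counts as a pass.
 *   3. Only if the probe returned something else: try tc.readOriginBody on
 *      the cross-origin frame. An exception here still counts as a pass; a
 *      successful read leaves test_passed at 'false'.
 *
 * All findings are recorded on the TestCase object and stored by
 * tc.saveTest(). TestCase and its helpers are not defined in this file
 * (presumably in /shared/scripts/testcase.js), so what readOriginBody and
 * checkOriginDocument actually touch on the iframe should be confirmed there.
 */
function f() {
	var tc = new TestCase();
	// Fix: the recorded input used to name 'ifr_same' for both frames, which
	// misdescribed the cross-origin probe in the saved test record.
	tc.input = 'var same_ifr = document.getElementById(\'ifr_same\')...document; var cross_ifr = document.getElementById(\'ifr_cross\')...document;';
	tc.description = 'Check possibility to directly access an iframe\'s document of a third party site after redirect.';
	tc.expected_result = "undefined or exception occurred.";
	// Verdicts are stored as the strings 'true'/'false'. Start from 'false' so
	// the test only passes when a branch below explicitly says so.
	tc.test_passed = 'false';

	// Control: the same-origin frame.
	var same_ifr = document.getElementById('ifr_same');
	tc.output += '\nSAME ORIGIN\n';
	try {
		tc.output += 'document: ' + tc.readOriginBody(same_ifr) + '\n';
	} catch (e) {
		tc.output += 'exception occurred accessing document: ' + tc.outputException(e);
		// NOTE(review): the test carries on after a failed control. A later
		// pass is then weak evidence, because the cross-origin read may have
		// failed for the same unrelated reason; treat such a record as
		// inconclusive when reviewing results.
	}

	// Probe: the frame that was redirected to the other origin.
	var cross_ifr = document.getElementById('ifr_cross');
	tc.output += '\nCROSS ORIGIN\n';
	try {
		// Probe once, so the value that is logged is the value that decides
		// the verdict.
		var cross_doc = tc.checkOriginDocument(cross_ifr);
		// The concatenation stays inside the try block: converting the
		// returned object to a string may itself throw, which is a pass.
		tc.output += 'cross origin document: ' + cross_doc;
		tc.result = 'cross origin potentially readable.';
		// Loose comparison on purpose: null and undefined both mean that no
		// document was handed out.
		if (cross_doc == undefined) {
			tc.test_passed = 'true';
			tc.result = 'undefined';
		} else {
			tc.test_passed = 'false';
		}
	} catch (e) {
		tc.output += 'exception occurred accessing remote document: ' + tc.outputException(e);
		tc.result = 'exception occurred';
		tc.test_passed = 'true';
	}

	// Reached only when the probe returned a non-null value without throwing:
	// check whether the frame's content can actually be read.
	if (tc.test_passed == 'false') {
		try {
			tc.output += 'cross origin data: ' + tc.readOriginBody(cross_ifr) + '\n';
			// The read succeeded, so test_passed stays 'false'.
			tc.result = 'document readable';
		} catch (e) {
			// A browser may hand out a document object and still refuse
			// access to its content; that also counts as a pass.
			tc.output += 'exception occurred accessing cross origin document: ' + tc.outputException(e);
			tc.result = 'exception occurred';
			tc.test_passed = 'true';
		}
	}
	tc.saveTest(); // store the recorded results
}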
</script>
</head>
<body>
	<!-- Control frame: the relative URL keeps it on the test page's own origin. The script reads it first, before probing the other frame. -->
	<iframe id="ifr_same" src="/allowed.html"></iframe>
	<!--
		Frame under test: the request starts on this origin at /redirect and is
		presumably answered with a redirect to the URL given in "loc", so the
		frame ends up on another origin. The script must not be able to read it.
		NOTE(review): victim.com has to resolve to a host controlled by the test
		environment (for example through a hosts entry); confirm this before a
		run, otherwise the request goes to whoever operates that domain and the
		result says nothing about the browser.
		NOTE(review): if /redirect forwards to any "loc" value without checking
		it, it is an open redirect; keep it on test hosts only.
	-->
	<iframe id="ifr_cross" src="/redirect?loc=http://victim.com/forbidden.html"></iframe>
</body>
</html>